b' Pension Benefit Guaranty Corporation\n       Office of Inspector General\n              Audit Report\n\n\n\n\nPBGC Needs to Improve Controls to Better\nProtect Participant Personally Identifiable\n             Information (PII)\n\n\n\n\n            September 16, 2010\n                                      2010\xe2\x80\x9009\xc2\xa0/\xc2\xa0IT\xe2\x80\x9009\xe2\x80\x9067\n\x0c                                Pension Benefit Guaranty Corporation\n                                                               Office of Inspector General\n                                                1200 K Street, N.W., Washington, D.C. 20005-4026\n\n\n                                                                                  September 16, 2010\n\nTO:             Richard Macy\n                Acting Chief Information Officer\n\nFROM:\n                Joseph A. Marchowsky\n                Assistant Inspector General for Audit\n\nSUBJECT:        PBGC Needs to Improve Controls to Better Protect Participant Personally\n                Identifiable Information (PII)\n\n\nThis report describes the findings identified during our audit of protections over Personally\nIdentifiable Information (PII) in the Actuarial Calculation Toolkit (ACT). We initiated this audit\nbased on a whistleblower complaint alleging that PBGC plan participant data was being transferred\nto an unsecured application that was non-compliant with applicable information technology security\nstandards. Our audit objective was to evaluate the whistleblower\xe2\x80\x99s concerns dealing with the\nprotection of PII in ACT, including determining whether PBGC had taken steps to ensure that ACT\nmet Federal Information Security Management Act (FISMA) requirements and best practices.\n\nWe found that ACT is a critical system to PBGC\xe2\x80\x99s mission, and its core function. The lack of system\ncontrols has put the PII for approximately 1 million participants at risk. 
The report discusses our\nfindings and recommendations to ensure PBGC develops and implements controls to protect PII in\nACT.\n\nPBGC agreed with all recommendations and we concurred with the Corporations corrective actions.\nWe look forward to evaluating PBGC\xe2\x80\x99s implementation of the controls necessary to better secure\nparticipant PII and we would like to take this opportunity to express our appreciation for the\ncooperation we received while performing this audit.\n\n\n\n.\n\x0cOIG Report AUD-2010-9 / IT-09-67\n\x0cRESULTS IN BRIEF\nThe Personally Identifiable Information (PII) for approximately 1 million1 participants is currently at\nrisk because PBGC has not implemented adequate controls in its automated Actuarial Calculation\nToolkit (ACT). PBGC management acknowledged that the disclosure, modification, or loss of\naccess to ACT data would have a serious adverse impact on the Corporation. Nevertheless, ACT\nwas incorrectly classified as a minor system -- \xe2\x80\x9ca tool kit\xe2\x80\x9d -- and the Corporation did not perform\nthe security assessment mandated by federal standards or take needed actions to mitigate risk.\n\nWe initiated this audit based on a whistleblower complaint alleging that PBGC plan participant data\nwas being transferred to an unsecured application that was non-compliant with applicable\ninformation technology security standards. The complainant also asserted that the Chief\nTechnology Officer (CTO) had issued a waiver permitting PBGC to delay compliance with Federal\nInformation Security Management Act (FISMA) requirements. Our audit confirmed that PBGC\nwas transferring data to a non-compliant application. 
However, we found no evidence that a waiver\nof the type reported by the whistleblower had been issued.\n\nFor PBGC, the calculation of an individual participant\xe2\x80\x99s final pension benefit is a core function.\nPBGC relies on one of two systems for this important actuarial calculation \xe2\x80\x93 Ariel, a system\nadministered by a Canadian firm and located on servers in Canada and ACT, a PBGC developed\napplication resident on PBGC\xe2\x80\x99s network in Washington, DC. In 2008, PBGC concluded that Ariel\nwas requiring so many resources, in terms of both staff time and money (8 years and $31 million),\nthat the Corporation determined to begin the process of transitioning pension plan participant\ninformation from Ariel into ACT.\n\nACT is a customized Microsoft product and is currently PBGC\xe2\x80\x99s primary system for calculating a\nparticipant\xe2\x80\x99s final pension benefit. ACT is a spreadsheet-based system. Each participant\xe2\x80\x99s data is\nentered in a row or number of rows (depending on the number of data items needed). Within these\nrows, actuaries build programs and calculations that use available pension data to calculate the\nparticipant\xe2\x80\x99s final benefit amount. While PBGC management has recognized ACT\xe2\x80\x99s security\nlimitations, to date the agency has not taken proactive steps to mitigate those weaknesses.\n\nPBGC\xe2\x80\x99s decision to transition away from Ariel was an appropriate one, given the system\xe2\x80\x99s high cost\nand the scope-creep the project encountered. However, the decision to transition from Ariel to\nACT should have been coupled with a comprehensive analysis of ACT\xe2\x80\x99s security controls, with\nspecial emphasis on those controls intended to protect PII, such as participant Social Security\nnumbers. Furthermore, PBGC should have identified and implemented compensating controls to\nmitigate risk. 
For instances in which risk could not be reasonably mitigated, the risks should have\nbeen documented, analyzed and accepted as necessary. \xc2\xa0\n\nThe results of our audit disclosed:\n\n       \xe2\x80\xa2    ACT, a system critical to PBGC\xe2\x80\x99s mission and core function, had no risk assessment,\n            security plan or privacy impact assessment.\n\n\n1   Estimates vary up to 1.3 million, as noted in the annual PBGC Management Report\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                  Page 1\n\x0c   \xe2\x80\xa2   ACT is not scanned on a periodic basis; the system shares the same vulnerabilities as the\n       PBGC network. In Fiscal Years 2008 and 2009 OIG reported a significant number of high\n       and medium vulnerabilities on the PBGC network.\n   \xe2\x80\xa2   PBGC computers used in the transfer of ACT data and ACT backup tapes were not\n       encrypted, thereby putting PII data at risk.\n   \xe2\x80\xa2   ACT\xe2\x80\x99s database files were not always password protected. 
As a result, loss or theft of ACT\n       data could compromise participant PII.\n\nWe recommend that PBGC:\n\n   \xe2\x80\xa2   Identify all Microsoft Access files that are not password protected and immediately\n       implement password and access controls to ensure the protection of participant PII.\n\n   \xe2\x80\xa2   Reclassify ACT as a major system and complete a Certification and Accreditation review\n       based on FIPS 199, NIST standards and OMB guidance including risk identification,\n       assessment and mitigation.\n\n   \xe2\x80\xa2   Review the facts surrounding PBGC\xe2\x80\x99s incorrect classification of ACT as a minor application\n       and document a determination of whether additional controls over the classification process\n       are needed.\n\n   \xe2\x80\xa2   Conduct scanning on a periodic basis and timely mitigate vulnerabilities in accordance with\n       NIST guidance.\n\n   \xe2\x80\xa2   Implement encryption on all PBGC laptops and storage media that handle PII.\n\xc2\xa0\nAgency Response:\n\nIn its September 9, 2010 response to the draft report PBGC concurred with the report findings and\nrecommendations. See Appendix D for PBGC\xe2\x80\x99s full response.\n\nOIG Evaluation of Agency Response:\n\nWe accept PBGC\xe2\x80\x99s decision for the five recommendations included in this report. PBGC informed\nOIG that management has already completed the necessary steps to resolve recommendation 1 and\nhas password protected 584 databases. OIG will follow-up on PBGC\xe2\x80\x99s corrective actions for\nrecommendation 1 and the other recommendations outlined in this report. We appreciate PBGC\xe2\x80\x99s\ncooperation throughout this audit.\n\xc2\xa0\n\xc2\xa0\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                             Page 2\n\x0cTable of Contents\n\nResults In Brief ........................................................................................................................... 
1\nBackground and Objectives ...................................................................................................... 4\nParticipants\xe2\x80\x99 Personally Identifiable Information Is At Risk ...................................................6\nRecommendation 1 .................................................................................................................. 10\nRecommendation 2.................................................................................................................. 10\nRecommendation 3.................................................................................................................. 11\nRecommendation 4.................................................................................................................. 11\nRecommendation 5.................................................................................................................. 12\nAPPENDIX A - Scope and Methodology ............................................................................... 13\nAPPENDIX B - Comparison of Information System Inventory Survey (ISIS) vs. PBGC\nInformation Assurance Handbook (IAH) Policy ................................................................... 14\nAPPENDIX C - FIPS 199 Chart .............................................................................................. 15\nAPPENDIX D - PBGC Response ........................................................................................... 17\n\xc2\xa0\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                                                    Page 3\n\x0cBackground and Objectives\nBackground\n\nThe Pension Benefit Guaranty Corporation (PBGC) protects the retirement incomes of nearly 44\nmillion American workers in more than 29,000 private-sector defined benefit pension plans. 
PBGC\nwas created by the Employee Retirement Income Security Act of 1974 to encourage the\ncontinuation and maintenance of private-sector defined benefit pension plans, provide timely and\nuninterrupted payment of pension benefits, and keep pension insurance premiums at a minimum.\nDefined benefit pension plans promise to pay a specified monthly benefit at retirement, commonly\nbased on salary and years on the job.\n\nPBGC pays monthly retirement benefits, up to a guaranteed maximum, established by law. The\nCorporation calculates benefits using ACT, a Microsoft based application that resides on PBGC\xe2\x80\x99s\nnetwork. ACT is used by 110 actuaries to calculate benefits and generate benefit statements.\nApproximately 3,500 plans and 1 million participant valuations have been calculated using ACT.\n\nACT captures and stores PII information, such as name, Social Security Number (SSN), hire date\nand retirement date, in a Microsoft Access database. Benefit calculations are performed using\nMicrosoft Excel spreadsheets. Access is a small database system, which allows users to create a\nsmall-medium sized database with minimum security features; Access is not a true Database\nManagement System.\n\nThe Office of Management and Budget (OMB) defines PII as information that can be used to\ndistinguish or trace an individual\xe2\x80\x99s identity, such as their name or SSN, alone, or when combined\nwith other personal or identifying information linked or linkable to a specific individual, such as date\nand place of birth.\n\nFrom 1996 to 2004, ACT served as PBGC\xe2\x80\x99s primary valuation system. In 1999, PBGC recognized a\nnumber of drawbacks with the spreadsheet approach and decided to replace ACT with a new\nvaluation system called Ariel. PBGC management believed that Ariel would improve the timeliness\nof benefit determinations and improve the reliability and security of participant data. PBGC then\ncontracted with a Canadian firm to develop and implement Ariel. 
Agency officials initially believed\nAriel would replace the ACT application, with the result that ACT would be used only in limited\ncases. However, ACT\xe2\x80\x99s usage did not significantly decline, despite the agency\xe2\x80\x99s direction that\nvaluations should be calculated using Ariel, as shown by the chart below.\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                Page 4\n\x0cBy 2008, development and implementation costs for Ariel exceeded $31 million. Due to Ariel not\ndelivering expected performance gains, the Corporation made a decision to transition back to ACT,\nthe system first used in 1996. PBGC was aware that ACT presented information technology\nsecurity challenges. PBGC\xe2\x80\x99s own cost benefit analysis highlighted ACT\xe2\x80\x99s security limitations.\nAdditionally, OIG\xe2\x80\x99s report2 addressing Ariel\xe2\x80\x99s development and cost also highlighted ACT\xe2\x80\x99s security\nweaknesses. Nevertheless, PBGC did not take action to adequately mitigate the risk or to classify\nACT appropriately, in light of the extensive PII it contained.\n\nObjectives\n\nOur audit objective was to evaluate concerns raised by the whistleblower dealing with protection of\nPII in ACT, including determining whether PBGC had taken steps to ensure that ACT met FISMA\nrequirements and best practices. Specific objectives included:\n    1. Assessing PBGC\xe2\x80\x99s management of the data transition from Ariel to ACT; and\n    2. Determining whether the Chief Technology Officer had issued a waiver to delay compliance\n       with FISMA for the ACT system.\nAudit fieldwork was performed from October 2009 through June 2010. The audit was conducted in\naccordance with Generally Accepted Government Auditing Standards and applicable OIG policies\nand procedures. 
Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our conclusions\nbased on our audit objectives.\n\n2See OIG Report Ariel Application System Post Implementation Audit, (Report # 2007-7/IT-0020, August 21, 2007)\nhttp://oig.pbgc.gov/audit/2007/pdf/IT-0020.pdf\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                                 Page 5\n\x0cFinding and Recommendations\nParticipants\xe2\x80\x99 Personally Identifiable Information is at Risk.\n\nPBGC has not implemented adequate controls to protect the Personally Identifiable Information\n(PII) in its automated Actuarial Calculation Toolkit (ACT). Because ACT was classified as a minor\nsystem, \xe2\x80\x9ca tool kit,\xe2\x80\x9d the Corporation did not perform the security assessment mandated by federal\nstandards. As a result the PII of approximately 1 million participants is currently at risk for\nimproper review and disclosure.\n\nAgency officials describe ACT as a system used by actuaries to value pension plans and calculate\nbenefits for individual participants. ACT is a series of PBGC customized Microsoft applications\ndesigned to meet its unique business processes. Valuations for entire plans are stored in Microsoft\nAccess databases and contain participants PII such as Social Security Number (SSN), name, date of\nhire, date of birth and salary information. The Corporation utilizes Microsoft Excel spreadsheets\n(which also contain PII) to calculate an individual participant\xe2\x80\x99s final benefit.\n\nOIG reviewed the Information System Inventory Survey (ISIS) and PBGC Information Assurance\nHandbook (IAH) Volume 18 Section II \xe2\x80\x9cInventory Management Procedures\xe2\x80\x9d and determined that\nPBGC did not abide by its own policy and procedures. 
In direct contradiction with PBGC\xe2\x80\x99s own\npolicies, agency officials classified ACT as a minor system. According to PBGC\xe2\x80\x99s IAH Volume 18-\nSection II \xe2\x80\x9cInventory Management Procedures,\xe2\x80\x9d minor information systems may not contain,\nprocess or transmit Personally Identifiable Information and must address the minimum control\nbaseline required by its FIPS-199 security category.\n\nThe ISIS includes PBGC\xe2\x80\x99s justification for classifying ACT as a minor system. The ISIS is an\ninformation collection tool used to assist in the identification and characterization of PBGC\ninformation resources. The ISIS was prepared by the Office of Information Technology (OIT) with\nlittle or no collaboration with key stakeholders. Further, management did not maintain supporting\ndocumentation to support ACT\xe2\x80\x99s classification as a minor application. According to PBGC\nmanagement the ISIS mainly serves as a working document and system categorization worksheet for\nthe system owner(s). That is, the basis for the decision to categorize a system containing PII for\napproximately 1 million participants was undocumented; further, no evidence existed that the\ndecision was subject to any supervisory review.\n\nFederal Information Processing Standards (FIPS) 199 states: \xe2\x80\x9cThe security categories are based on\nthe potential impact on an organization should certain events occur which jeopardize the\ninformation and information systems needed by the organization to accomplish its assigned mission,\nprotect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect\nindividuals. 
Security categories are to be used in conjunction with vulnerability and threat\ninformation in assessing the risk to an organization.\xe2\x80\x9d\n\nWe also observed that PBGC classified ACT as a moderate potential impact under each of the three\nFIPS security objectives: confidentiality, integrity and availability.\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                              Page 6\n\x0c    \xe2\x80\xa2   Confidentiality\n        The unauthorized disclosure of information could be expected to have a serious adverse\n        effect on organizational operations, organizational assets, or individuals.\n    \xe2\x80\xa2   Integrity\n        The unauthorized modification or destruction of information could be expected to have a\n        serious adverse effect on organizational operations, organizational assets, or individuals.\n    \xe2\x80\xa2   Availability\n        The disruption of access to or use of information or an information system could be\n        expected to have a serious adverse effect on organizational operations, organizational assets,\n        or individuals. (See Appendix C for a complete listing of FIPS 199 classifications)\n\nAs noted by the FIPS categorizations, PBGC felt that the disclosure, modification or loss of access\nto ACT data would have a serious adverse effect to the agency. Despite the classification PBGC\nfailed to complete a risk assessment, security plan or privacy impact assessment.\n\n\nACT files are not password protected.\n\nDuring our review we worked with PBGC personnel to test ACT\xe2\x80\x99s access controls. As part of that\neffort, we were able to circumvent the password control(s). ACT was designed to prompt users for\na password when attempting to open the Microsoft Access file (mdb) directly (i.e. not through the\nArchive/ACT interface). OIG noted that some Microsoft Access files were not password protected\nand could be viewed simply by clicking on the file. 
Therefore, if an ACT file was ever lost or stolen\na perpetrator would have full access to all the PII associated with an entire plan. Generally, each\nMicrosoft Access file contains an entire plan.\n\nPBGC responded to OIG\xe2\x80\x99s inquiries stating that the passwords were not intended to restrict access\nrather it was designed to protect unintentional actuarial data errors. PBGC officials explained that\nthe passwords were designed to ensure that actuaries modify ACT data only through the tool rather\nthan making changes in the source file (Access database). PBGC stated that agency officials will\nensure going forward that all newly created ACT database files have a password.\n\nOIG also observed that ACT does not have adequate logging and monitoring controls. Specifically,\nACT does not have an automated mechanism in place to document who accessed files, what records\nwere reviewed, added or modified, what changes to formulas were made or whether data was\ndownloaded to an unauthorized form of media (i.e. unencrypted thumb drive).\n\nData integrity and confidentiality should be enforced by access controls. Protecting PII such as\nnames, dates of birth and SSNs in federal systems is critical because its loss or unauthorized\ndisclosure can lead to serious consequences for individuals. These consequences include identity\ntheft or other fraudulent activity, which can result in substantial harm, embarrassment, and\ninconvenience to both the individual and PBGC.\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                               Page 7\n\x0cPBGC did not complete a Certification and Accreditation on ACT\n\nPBGC has not fully assessed the risk associated with using ACT as the agency\xe2\x80\x99s primary valuation\nsystem. The Privacy Act of 1974 and the E-Government Act of 2002 require federal agencies to\nprotect personal information, including ensuring its security. 
Additionally, the Federal Information\nSecurity Management Act of 2002 (FISMA) requires agencies to develop, document, and implement\nagency wide programs to provide security for their information and information systems (which\ninclude PII and the system on which it resides).\n\nIn 2008 due to Ariel\xe2\x80\x99s high cost3 PBGC made a decision to transition back to ACT. At a minimum\nin 2008, agency officials should have reclassified ACT as a major system and performed the security\nassessments required by Office of Management and Budget (OMB) Circular A-130 Appendix III\nand PBGC requirements. This did not occur and as a result PBGC has not adequately secured PII\nin ACT.\n\nNational Institute of Standards and Technology (NIST) Special Publication 800-30 \xe2\x80\x9cRisk\nManagement Guide for Information Technology Systems\xe2\x80\x9d states that risk management plays a\ncritical role in protecting an organization\xe2\x80\x99s assets and therefore its mission from IT related-risk.\nNIST describes risk management as the process of identifying risk, assessing risk and taking steps to\nreduce risk to an acceptable level.\n\nACT is classified as a toolkit in the Benefit Calculation Application (BCA) Ariel suite. We reviewed\nthe security plan, risk assessment and privacy impact assessment for the BCA Ariel suite and\ndetermined that these documents only make brief references to ACT while Ariel is discussed in\ndetail. It should also be noted that ACT and Ariel do not share the same system boundaries. Ariel\nis administered by a Canadian company, Morneau Sobeco and the system is located on servers in\nCanada. In contrast, ACT is a PBGC developed application secured by PBGC\xe2\x80\x99s network in\nWashington, DC; therefore, both systems should not be included in the same suite of applications.\nBecause ACT serves as the primary valuation system for PBGC and supports core mission\nfunctions, a full certification and accreditation of the system is needed. 
See chart below for a\ncomparison of PBGC Actuarial Systems:\n\n                                                                Ariel                                    ACT\nNumber of Plans                                          195 plans (1 active)                         3534 plans4\nNumber of Participants                                  Approximately 217,300                    Approximately 1 million\nDeveloped by                                              Morneau Sobeco                                PBGC\nDocumented Access Control                                     In place                                   None\nDocumented Audit and Accountability                           In place                                   None\nDocumented Certification and                                  In place                                   None\nAccreditation\nDocumented Configuration                                          In place                                   None\nManagement\nDocumented Contingency Planning                                   In place                                   None\n\n3 See OIG Report Ariel Application System Post Implementation Audit, (Report # 2007-7/IT-0020, August 21, 2007)\nhttp://oig.pbgc.gov/audit/2007/pdf/IT-0020.pdf\n4 PBGC officials reported.\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                                  Page 8\n\x0cDocumented Identification and                                       In place                                     None\nAuthentication\nDocumented Incident Response                                        In place                                     None\nDocumented Maintenance                                              In place                                     None\nDocumented Media Protection                                         In place                                     None\n\nIn a GAO report, Identity Theft-Governments Have Acted to Protect 
Personally Identifiable Information, but\nVulnerabilities Remain (GAO 09-759T, June, 2009), GAO states:\n\n         \xe2\x80\xa6it is important for agencies to safeguard their systems against risks such as loss or\n         theft of resources (such as federal payments and collections), modification or\n         destruction of data, and unauthorized uses of computer resources or to launch\n         attacks on other computer systems. Without such safeguards, sensitive information,\n         such as taxpayer data, Social Security records, medical records, and proprietary\n         business information could be inappropriately disclosed, browsed, or copied for\n         improper or criminal purposes including identity theft.\n\nPBGC did not complete a risk assessment on ACT and without a comprehensive risk assessment,\nmanagement is unable to ensure the security of participants PII in ACT. Additionally PBGC cannot\ntake action to mitigate identified risks.\n\nACT is not scanned periodically\n\nACT is not scanned on a periodic basis and shares the same vulnerabilities as the PBGC network.\nOIG met with several agency officials who told us \xe2\x80\x9cACT is as secure as the PBGC network.\xe2\x80\x9d OIT\nsecurity management informed us that system scans are not performed on ACT because it is not an\napplication and \xe2\x80\x9cthe tool\xe2\x80\x9d resides on the PBGC General Support System (GSS). Had ACT been\nclassified as a major application NIST guidance would have required periodic scanning; PBGC\ninstead incorrectly relied on the scans of the GSS. During the FY 2009 FISMA review OIG\ncontracted with an Independent Public Accounting (IPA) firm to scan the PBGC network for\nvulnerabilities. These scans identified a significant number of high and medium vulnerabilities,\nincluding in the GSS, some of which we previously reported earlier this year5. 
Thus, reliance on the\nsecurity of the GSS is misplaced.\n\nMoreover, the IPA identified persistent computer security weaknesses that continue to jeopardize\nthe security of the PBGC network and PII. System scan results should be included as part of an\noverall risk assessment. When scans are not performed, known threats and vulnerabilities may not\nbe identified and mitigated. ACT is equally secure as the PBGC network, according to agency\nofficials. Based on our audit work, ACT data is at risk of being lost, stolen and otherwise\ncompromised.\n\nLaptop and storage media are not encrypted\n\nDuring our review we observed PII data being transferred from Ariel to ACT via an unencrypted\nlaptop. We were informed that PII data is immediately removed after being uploaded to the PBGC\n\n5See OIG Report Fiscal Year 2009 Vulnerability Assessment, Penetration Testing and Social Engineering Report (Report # Eval-\n2010-6/GA-09-64-6, March 2, 2010) http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-6.pdf\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                                     Page 9\n\x0cnetwork, where ACT resides. While data is encrypted (using Citrix technology) during transmission,\nthe use of laptop without encryption6 to transfer PII potentially exposes the data to unauthorized\ntheft or loss.\n\nPBGC has experienced the loss of unencrypted PII data. In July 2008 an employee of a PBGC\ncontractor left a thumb drive with unencrypted PII data in a commuter train parking lot. Although\nthis data did not come from ACT this incident shows the potential risk of transporting unencrypted\nPII.\n\nOMB memorandum M-06-16 \xe2\x80\x9cProtection of Sensitive Agency Information\xe2\x80\x9d directs agencies to verify that\nexisting organizational policy adequately addresses the information protection needs associated with\nPII that is accessed remotely or physically removed. 
In addition, M-06-16 recommends that\nagencies use a NIST checklist included in the memorandum. The NIST checklist states that agencies\nshould verify that information requiring protection is appropriately categorized as such and that it is\nassigned an appropriate risk and impact.\n\nRecommendations\n\n\nRecommendation 1:\nIdentify all Microsoft Access files that are not password protected and immediately implement\npassword and access controls to ensure the protection of participant PII. (OIG Control Number\nOIT-112)\n\nPBGC Response:\n\n          Management agrees with the recommendation to password protect all ACT\n          databases and has already completed this work. Until we put boundaries around the\n          ACT files, we are limited in our ability to put further access controls in place.\n\nOIG Evaluation: We concur with PBGC\xe2\x80\x99s response.\n\nRecommendation 2:\nReclassify ACT as a major system and complete a Certification and Accreditation review based on\nFIPS 199, NIST standards and OMB guidance including risk identification, assessment and\nmitigation. (OIG Control Number OIT-113)\n\nPBGC Response:\n\n          Management agrees in general with this recommendation. However, steps are\n          required before we can accurately classify ACT and complete a C&A. Until\n          boundaries are in place, the classification of ACT cannot be properly done (the\n\n\n6Encryption can be used to protect data \xe2\x80\x9cat rest\xe2\x80\x9d, such as files on computers and storage devices. 
The International Information\nSystems Security Certification Consortium (issuers of the Certified Information Systems Security Professional, CISSP) defines\nencryption as: the use of algorithms to encode data in order to render a message or other file readable only for the intended recipient.\n\n\n\n\nOIG Report AUD-2010-9 / IT-09-67                                                                                             Page 10\n\x0c       current boundary is the General Support System). We are working through\n       prioritizing the work with all of the other OIT initiatives that are underway.\n\n       Additionally, PBGC will need to evaluate the availability and timing of a new\n       solution after ACT. PBGC will need to judge whether the effort, time and cost to\n       perform a full C&A on ACT (once boundaries are put in place) is prudent if a new\n       solution will be available within an acceptable timeframe. PBGC will document that\n       decision, if it comes to this. As timing becomes more definitive on all of the above,\n       we will update OIG on progress.\n\nOIG Evaluation: We concur with PBGC\xe2\x80\x99s response.\n\nRecommendation 3:\nReview the facts surrounding PBGC\xe2\x80\x99s incorrect classification of ACT as a minor application and\ndocument a determination of whether additional controls over the classification process are needed.\n(OIG Control Number OIT-114)\n\nPBGC Response:\n\n       Management suggests that as an alternative to the recommendation is to\n       acknowledge that additional controls are needed over the classification process. We\n       are working on redoing our Information Assurance Handbook and the Registration\n       Process for systems. 
It is envisioned that classification determinations will need to be signed off by the System Owner and the CIO (or Deputy CIO) as added controls. The revised Information Assurance Handbook and the new Registration Process should be in place by December 2010.

OIG Evaluation: We concur with PBGC's response.

Recommendation 4:
Conduct scanning on a periodic basis and mitigate vulnerabilities in a timely manner in accordance with NIST guidance. (OIG Control Number OIT-115)

PBGC Response:

       Management agrees with this, but again, this can only be done once a boundary can be established for the ACT files. Until that time, ACT files must rely on the scanning done for the General Support Systems.

OIG Evaluation: We concur with PBGC's response.

Recommendation 5:
Implement encryption on all PBGC laptops and storage media that handle PII. (OIG Control Number OIT-116)

PBGC Response:

       Management agrees with this recommendation and is working to complete this by the end of December 2010 for laptops as well as external storage media that BAPD employees and contractors use to transport PII data.

OIG Evaluation: We concur with PBGC's response.

APPENDIX A - Scope and Methodology
We initiated this audit after receipt of a whistleblower complaint. The whistleblower alleged that participant data was being transferred to an unsecured, non-compliant application (ACT). 
In addition, the complainant stated that the Chief Technology Officer (CTO) issued a waiver permitting PBGC to delay compliance with the Federal Information Security Management Act (FISMA) requirements.

Our audit objective was to address concerns raised by the whistleblower dealing with protection of PII in ACT, including determining whether PBGC had taken steps to ensure that ACT meets FISMA requirements and best practices. Work was performed at the Pension Benefit Guaranty Corporation Headquarters in Washington, D.C. To accomplish our objectives we:

   •   Conducted interviews of management and staff;
   •   Reviewed prior years' audit reports;
   •   Reviewed laws and regulations;
   •   Reviewed PBGC policy and procedures.

The audit was conducted in accordance with Generally Accepted Government Auditing Standards and in accordance with OIG policies and procedures. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our conclusions based on our audit objectives.

APPENDIX B – Comparison of Information System Inventory Survey (ISIS) vs. 
PBGC Information Assurance Handbook (IAH) Policy

Item 1
Information reported in the ISIS: ACT contains information the disclosure of which is prohibited by a federal statute other than the Freedom of Information Act (FOIA).
ACT classification: Minor System
PBGC IAH Policy: FOIA is a statutory obligation to which PBGC is required to abide; therefore, the Senior Agency Information Security Officer (SAISO) considers information protected by the FOIA as "Major Information" requiring special management attention. There are also myriad federal laws that exempt categories of information from disclosure. The policies underlying these exemptions are varied, but the rationale for exemption is that certain information in the possession of the federal government should remain confidential and not be disclosed to the public. Therefore, the confidentiality of this information must be protected from disclosure when stored electronically. Because Federal policy dictates that this information must be protected from disclosure, systems containing information covered by these laws will generally require special management attention.

Item 2
Information reported in the ISIS: The system (ACT) contains PII within any database records, files or documents.
ACT classification: Minor System
PBGC IAH Policy: A PBGC information system with the following characteristics may be determined to be a major information system: a key resource, or critical infrastructure, or critical infrastructure information, or ... contains Privacy Act or Personally Identifiable Information (PII).

APPENDIX C - FIPS 199 Chart
The chart below from FIPS 199 summarizes the potential impact definitions for each security objective: confidentiality, integrity, and availability.

Security Objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C. § 3542]
   LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
   MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
   HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C. § 3542]
   LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
   MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
   HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C. § 3542]
   LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
   MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
   HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

APPENDIX D – PBGC Response

[PBGC response letter, report pages 17 through 22: not available as text]

If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

Telephone:
The Inspector General's HOTLINE
1-800-303-9737

The deaf or hard of hearing, 
dial FRS (800) 877-8339\n   and give the Hotline number to the relay operator.\n\n\n\n                           Web:\n       http://oig.pbgc.gov/investigation/details.html\n\n\n\n                         Or Write:\n          Pension Benefit Guaranty Corporation\n               Office of Inspector General\n                     PO Box 34177\n             Washington, DC 20043-4177\n\x0c'